Hello. Good morning. We have a couple of minutes, so I just want to repeat that this is a beginner-level talk. There is a lot of stuff that I have not been able to get to, just so you know; we will cover the concepts in an easy-to-learn manner. There are steps to do this, but focus on what I am talking about in terms of the principles, because there are so many different ways of doing this and the principles remain the same. Try to see how it is applicable to your situation. We can do the Q&A in between: raise your hand, and I will repeat the question for the camera, so that we have 40 minutes for the talk and the Q&A. The principles are more important; you can easily figure out how to do it in the end. When I publish the slides on the funnel page I will also give you a simple PDF, so if you want to follow the steps I have done you can use that like a workbook and add your own steps. Please repeat the question.

My name is Akash. I will be talking about securing a Linux web server in 10 steps or less. When I say a Linux web server, I mean a Linux server, a Linux distribution, Ubuntu 10.04 LTS, running a web server, running a database server and running SSH. These are the basic things you have for a LAMP stack, or even if you want to do something with Python or with Django or Ruby or something: you will have these things in place. You will have the web server. If you prefer Nginx or Lighty, I don't know, the principles remain the same. I am talking about Apache, I am talking about MySQL and I am talking about OpenSSH.

So, my first slide. Can anyone name this aircraft? It's stealth, yes. But the Blackbird was never stealth; it was just too fast, Mach 3 plus, the SR-71. Someone said 117. Yes, that's what it is: the F-117 Nighthawk. This is the first stealth aircraft the world had.
It was operational for some 20 or more years, and after being commissioned by the US Air Force in 1982, for 16 years they did not even acknowledge that this thing existed. They are based in the state of Nevada in the US, Area 51, and all the alien sightings or UFOs or whatever, it's possible people were looking at this.

Why is this here? Reduce attack surface. That's the principle, that's the security principle I am talking about. How does this do it? There was a brilliant Russian physicist who figured out that radar does not rely on how heavy or how big an object is. It's like sending something and getting something back. It relies on how many straight edges the flying object has. So Lockheed, which is a big defence contractor in the US, has this group called the Skunk Works, which does the black projects, the top secret or ultra top secret or whatever. In the 70s they figured out they had the material and the computational capability to programmatically figure out what kind of radar signature a flying machine like this would have. This is one of those planes; it is meant for stealth, so it's not as fast as the other planes available. A fast plane has something called an afterburner, and the engines give off a distinct heat signature. So this is purely meant as stealth, by reducing the attack surface. If you go to Wikipedia you can see different pictures, and it just does not look like any normal plane you will see. The next evolution of this is the B-2 Spirit, which is a bomber from them, still in operation, and it looks even weirder than this.

Okay, so what do I mean by reduced attack signature, or surface, in Linux? What is the attack surface?
When you talk about a Linux server, the first point of attack surface is all the TCP and UDP ports listening on the external interfaces, the external-facing IP addresses, the addresses someone can use to reach your machine, be it via DNS resolution with an A record or someone doing an Nmap scan or whatever it is.

How would you do that? The first thing is to see what is visible. This is the command: netstat -ntulp. You need to be root, otherwise it will not tell you the process. Whenever it says hash like this (an internal joke at Rootconf: the three hashes mean it's the root prompt). The n stands for do not resolve, so it will tell you the exact IP, not the host name, and the port number, not the service name. The l is for listening, t is for TCP, u is for UDP and p is which process spawned it, which process is listening on that port, so if you want to kill it or something you can figure it out. Yes, but this is only meant for ports listening on external interfaces. Obviously it will show the internal interfaces too, but if it says 127.0.0.1 that's localhost. If it says 0.0.0.0, or in the IPv6 format :: something, that means it's listening on all ports. This is basically telling you: this is my Linux server, and on the external interface someone can reach this port number.

So now the question is, how do we reduce this? This is the attack surface; this will give you a list of things. There are a couple of ways. One is by stopping services from running. This is Ubuntu, so now you can use the service command as well, but the standard way in Ubuntu is to use /etc/init.d/<service name> stop.
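The netstat walk-through above, turned into a small check. This is an added example and not part of the talk: the netstat output is constructed for illustration (not captured from a real host), and the init-script names are assumed to match the process names netstat reports, which is not always the case (check /etc/init.d before running the emitted commands).

```bash
#!/usr/bin/env bash
# Constructed sample of `netstat -ntulp` output from a hypothetical Ubuntu box.
# Not a real capture; the PIDs and programs are made up for the example.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      1021/mysqld
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1304/apache2
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN      655/vsftpd
tcp6       0      0 :::22                   :::*                    LISTEN      812/sshd
udp        0      0 0.0.0.0:68              0.0.0.0:*                           540/dhclient
udp        0      0 127.0.0.1:53            0.0.0.0:*                           700/dnsmasq'

# Print "proto port program" for every socket bound to a wildcard address
# (0.0.0.0 or ::), i.e. reachable from outside. Loopback binds are skipped,
# which is exactly why MySQL on 127.0.0.1 does not show up as exposed.
exposed_listeners() {
  printf '%s\n' "$1" | awk '
    $1 ~ /^(tcp|udp)6?$/ {
      addr = $4
      n = split(addr, parts, ":")
      port = parts[n]
      # everything before the final ":port" is the bind address
      host = substr(addr, 1, length(addr) - length(port) - 1)
      if (host == "0.0.0.0" || host == "::" || host == "*") {
        prog = $NF                     # "PID/program" is always the last field
        sub(/^[0-9]+\//, "", prog)     # drop the PID, keep the program name
        print $1, port, prog
      }
    }'
}

# Emit the stop/disable commands the talk describes for an unwanted service.
# Deciding what is unwanted is policy; here only port 21 (ftp) is flagged,
# matching the advice to copy files over ssh/scp instead of ftp.
# ASSUMPTION: the init script is named like the process (vsftpd -> /etc/init.d/vsftpd).
disable_commands() {
  exposed_listeners "$1" | awk '$2 == 21 {
    printf "/etc/init.d/%s stop\nupdate-rc.d -f %s remove\n", $3, $3
  }'
}

# Stand-alone run: show what is exposed, then what to turn off.
exposed_listeners "$SAMPLE_NETSTAT"
disable_commands "$SAMPLE_NETSTAT"
```

On a live host you would feed `"$(netstat -ntulp)"` (as root) to `exposed_listeners` instead of the sample; the loopback-only lines it drops are the ones you want MySQL and any back-end application servers to be on.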
You can say start or restart, or if you give some wrong parameter here it will tell you which options are valid. So you already have a server; once you figure out that there are a bunch of ports open and these services are listening on the external interface, this is how you stop them. You can also make sure that if the server boots those services are not started, using the update-rc.d command. There are a bunch of options; the simplest is if you give the service name and say remove, it will not start at boot time, it won't be available in run level 0, 1, 2, 3, whatever (not 0; 0 is like starting).

And there is one thing you can do that is specially recommended for MySQL: if your web server and the MySQL database server are on the same host, MySQL doesn't need to listen on the external IP, because that connection can be local. It can be a TCP connection, if you don't want to do IPC that's fine, but it can be a localhost connection and your web server will still be able to find it. This is true for Apache, your web server, as well: there is a place where you specify which IP, which interface, to listen on. By default it's usually given as all, so if you're on the machine itself you can type localhost in your browser and reach the web page, or you can give the actual IP your machine has and it will still reach the web page. So in case you have a proxy, or you are running Nginx or something else in the front end and Apache is meant for something else, or maybe you're running Mongrel or one of these application-type servers, if they don't need to be available on the internet they should be running on localhost. Makes sense?

This is what it should look like for our reference implementation: the MySQL database listening on the localhost interface, your Apache web server on port 80 (I've not taken the SSL part of it) and SSH running on port 22. This is good enough for you to serve any kind of LAMP pages; all your PHP will work, you have a database, you have the web server with mod_php, and you can copy files over SSH. If you're wondering why there is no port 21: you should not be using FTP for copying. Any tool you use to copy files over FTP, the same tool you can use over SSH or scp.

Mostly, if you're in the cloud or have a VPS, we have to rely on the distro or the kernel already available to us. In case we have the advantage, where we can set up our own, or you're setting up a virtual machine, or a machine which you will be migrating to the cloud, start with a mini ISO. When they release a standard Ubuntu release or Debian release they also come up with this mini ISO; this is just enough to set up your networking and your base system and give you a shell. Obviously then you have to do a little more work, but this definitely means none of the extra things are on this. This is another way of reducing the attack surface. I'm not going to go into how this can be attacked, but it will be. So you can install SSH, which you will definitely need later, and you can install your LAMP packages using a command called tasksel: you type tasksel install lamp-server and it will install it. There are a bunch of options if you want to install a desktop, Ubuntu desktop with KDE or a couple of others; there's another one with LXDE. What am I using currently? Xfce, yeah, so there's an option for that. There are no compilers, no extra libraries, nothing is there. How is it a good thing? First of all it takes less space, so copying it, taking snapshots, creating it again will be easy. The other thing is if you really want the compilers or whatever you can start with a package called build-essential, which will install your C compiler and all that.

This is another way of reducing the attack surface. This may be relevant when you have a lot of users who will be accessing your system; they will have SSH access, they will be able to execute processes, even though non-privileged processes. Let's say you have not updated your kernel, you have not patched it recently, and there is a local exploit available, something that will allow them to elevate their privilege. You can avoid that because there's no compiler; they'll first have to install that and figure things out.

Patches and updates. This is very important; I don't need to tell you. Ubuntu and Debian, I mean most Linux distributions, make it very simple to update and patch. The only thing you have to worry about is: will it break my production server? That's something you can figure out, but it's very important. My recommendation: choose a long-term support release, an LTS, when you are using Ubuntu. For Debian they usually say use stable. For RHEL nobody will pay money for that, but if you're using CentOS then now you should move to maybe 6, because in 2014 CentOS 5.whatever, the next version, is running out of support, but 6 will be supported for the next 10 years. Whatever you choose, choose something which has long-term support. The whole point of setting up a server is that you should not have to spend too much time maintaining it, unless you're into tinkering or whatever; that's a different use case.

In Ubuntu there is a very simple command to update and patch. This is it: as root you do apt-get update and apt-get upgrade. When you do an upgrade, if there are packages to be downloaded it will ask you, do you want to download that? You can avoid that by giving -y; the only reason I have not mentioned it is that it's a good practice to see what is going to get updated. Another thing: if your server is so critical that there should be no downtime, there is this tool called Ksplice which will upgrade your kernel without requiring a restart, and that's the only time a server needs to be restarted. But for production or commercial use you have to pay money; if you're using it at home there's no money to be paid. It's like some three dollars per server per month or something.

Protecting your access: the cat door is always open. The point of this picture is that a server which is functional, which is solving some purpose, will have some kind of access open. If you have a server where no files need to be copied, nothing needs to be updated, logs need not be taken out... no, access is going to be there. So what are we going to do about it? Now, the paranoid folks will not have access that is apparent. Like, I'm saying your SSH is running on TCP port 22, but they will have something called port knocking, or they'll have a single page which they have access to, and if you access that web page, which will have some random string or something, then SSH will start listening and then you can log in. I'm not going to do that; I'm trying to make it very simple. In the simplest form you are going to have SSH access and you need to protect it.

So what do we do? The number one reason, I think, for hacked Linux servers... a hacked Linux server is worth a lot of money, for the simple reason that you have all these tools, you can script a lot of things, and these tend to keep running; they don't need to be restarted or reinstalled. The number one reason is SSH server password brute forcing. What is that? It simply means you have user accounts: you have root, you have some standard user accounts. In some companies it's a tradition to have the user name the same as the company name or the project name (a project might have a proper name and a nickname, so user accounts tend to look like that), or there could be a user like backup or developer. There are standard user accounts people use, and these can be brute forced. Brute force simply means someone is going to keep trying different password combinations till they figure it out. Why does this work? Because we suck at keeping good passwords. Our passwords tend to be 6 characters, 5 characters, only alphabets, lower case, things like that. I am not going to get into that, but consider that this is the number one reason for hacked Linux servers.

But we need SSH access, so what do we do? In the simplest terms, the conventional wisdom, what you will find if you google for securing SSH or securing a Linux server, is this. This is all good and needs to be done: don't allow root to log in (there is an option for that in sshd); don't use passwords, use keys, which is again a good thing. By default if you launch an EC2 instance in Amazon there is no password access at all; you have to generate a key pair and use that, a .pem file, or if you are using PuTTY you have to import it, save it as the public/private key and use that. Only use SSH version 2.0. Some of the old Cisco routers even now don't have this, because paying for the upgrade of the OS of the Cisco router is very expensive, so there is still some SSH version 1.0 around and it has some standard attacks. So this is the conventional wisdom, this is what you will find.

Traditionally this is what the problem is. Password brute forcing requires valid users: a valid password can only exist for a valid user. Lots of people use keys without passphrases. It's a good thing to use a key, but then someone has to steal that key. I don't know how many of you know, recently Yahoo released an extension for a browser, I think for Chrome, and they had embedded the private key in that, and then they had to revoke it or something. If someone is targeting you they will try to steal your private keys, and once the key is gone it's gone, because a lot of people don't keep passphrases. They think that if there is a key nobody knows the password, I have the key; but the key can be lost, stolen, something like that.

One additional change you should make in your /etc/ssh/sshd_config is to use this directive called AllowUsers. It's a simple option. Here you can specify either the username, or, if you have the advantage of a static IP for your internet presence, specify it with that static IP. What this means is: it's not that people will not still try to brute force the password, but they will not be successful, because only this user from this IP is allowed to access your sshd. I personally use this. I have a VPS somewhere, one of the cheap VPSes, some 6 dollars a month or something, which I use only for the static IP. I access the servers I am managing for my clients from that IP; certain users are allowed access, which means if my home system is hacked or whatever there is still some kind of protection. But it also means if the VPS goes down and they change their IP then I am screwed, basically. But then it's up to you. This is something most people do not tend to mention: AllowUsers, which is already available with SSH, and you should start using it. The other thing, if you believe you can have some security: keep a random user name, not an English word. Take a Hindi word and put it in English, call it adhyapak, or I don't know what the word for manager is. Because most of the people who are trying to brute force have dictionaries which are for English words, so till we have hackers from the Hindi heartland, you are safe.

The most important part. How much time do I have? The most important part: I was not sure if I should add this slide, but I realized that if I want to explain the rest of the talk to you this is important. A lot of people are not very clear about how permissions are derived or what certain permissions mean. We will do a simple exercise. What I have given here is: you have your read, write and execute, that's the standard thing, and you have user, group and others, u, g, o; r, w, x. So it maps to how you give permissions for files and folders. If you need to figure out what this is: this simply means this is not a directory; the first three belong to the user, who has read, write and execute, which corresponds to 7 if you use octal. A lot of people give that; you might have ranted about developers giving 777 and that being a problem. Why is that a problem? For the group you have read and execute, so if you are in the same group you can at least map to that directory and you can read, you can see what files are there, but you can't make changes. And others have read; you may not have to give this, but I am just trying to do that. So rwx for user, r-x for group and r-- for others. So this and this are the same. Now, does anyone have any questions about this? Because the next part depends on this. You don't get it, you don't have questions... so this is a typical thing I see in Bangalore: different people from different parts of India have different ways of nodding. This is a yes, this is a yes, this is a yes or a no or maybe. It's very interesting. Okay, so everyone gets it, good.

Before we go to that, in Ubuntu or Debian this is something you should do. I don't know if it really helps, but it is recommended by everyone, so maybe you can look at it. In /etc/apache2/conf.d/security these two lines, line number 27 and 39, ServerTokens and ServerSignature, are commented; you can uncomment these. So if I have to find out what your website is running, and I am not trying to run a tool or something, after your domain name I will give a 1, or some name which I know does not exist, and if you don't have a custom 404 error page, below it will tell me exactly what this is running, mod_proxy, and whether you have FastCGI or whatever. Now does it really help the attacker or does it stop the attacker? No. But why make it easy? It's as simple as that, and there is no cost to just uncommenting two lines. So if you are running Apache you should uncomment these two.

For MySQL, I am repeating this: if the database and web server are on the same host, on the same computer, then the MySQL server should only listen on localhost. There is no need for it to listen on anything else; I don't think there is any performance benefit either way. So in your /etc/mysql/my.cnf (my.cnf is used when you use the standard MySQL configuration, which is meant for like medium sites) there is a keyword called bind-address. As far as Ubuntu goes I think this is the default value, but then I have seen some instances on Amazon where this is not the default value. So this is something you can check as part of your checklist: it's listening on localhost only if your database server and the web server are on the same machine; otherwise you have to give the externally accessible IP, because your PHP script, or whatever on your web server has to read the database, needs to know which machine to go to. But I will tell you how to protect that.

The next thing to do: this is a script provided by default when you install mysql-server; you should run this. It will do three distinct things. One is, if you don't have a root user password, it will make sure that you set a root user password, the root user of the MySQL server, not your system root; the database server has users, so the root user of that, it will set up. The other thing is it will remove the test database. The test database is there for the blank user; MySQL basically ships with the blank user, where you don't put anything, you just say mysql and you have access to the test database. It will remove the test database and it will also remove the blank user. It might also ask you to only allow root user access if you're on the same machine, but I'm not sure of that.

The other thing to do is, when you create a new database, you should always create a different user. In some cases I've seen the same user being used. The chances of the credentials getting leaked or something are higher, or if you have one website, you have virtual hosts or whatever, and one website's credentials are gone then you have to go manually change it everywhere else. So if you have ten websites there are ten places you have to change the password. It just makes more sense to have one user for one database. And also do not give GRANT privileges, or any kind of privileges beyond what is needed: if there is a problem with your application there are ways of writing to an outfile, if you have enabled the privileges (and that only works to write to the outfile), then whatever the attacker wants to do, they can do. For your standard websites I don't think there's need for anything apart from these six things: SELECT, UPDATE, INSERT, DELETE, ALTER and CREATE.

The other thing is, when you create a new user you should always specify where the user can log in from. Specifying localhost ensures that someone from outside will not be logging in, but at the same time just specify this. You can specify a percent sign, which means any host; don't use that either. Have it localhost, specify localhost, or specify the exact IP where the MySQL connection will be made from, if your database is on a different host. Don't give percent; that's just lazy and it doesn't help you, because come to think of it, whatever your application does, most of it, the core part of your application is about the database. Your application is processing stuff and putting it in the database, so there is some, what you call, intellectual property, whatever you want to call it, in the database. And we tend to be very lax about that because the defaults work and our website works properly; we don't tend to think about that.

The other thing to do is to use the Uncomplicated Firewall. It's not a new firewall; it's just an interface to the same thing that iptables does. If you've seen the iptables format: I mean I don't have any complicated rules and I don't understand it, there are your NAT tables and FORWARD and ACCEPT, a bunch of these keywords; every time I have to configure that I have to go and look. And the problem with any kind of security configuration is: if it is difficult to understand, it is difficult to train everyone to the same level and it is difficult to assure that you will be able to configure it properly. So when it comes to this nice thing called ufw, the uncomplicated firewall, like the name, it is very simple: just do ufw enable and then you allow the ports you want to allow. If you see, it's 22, 80, 443 if you want. Now there is no need to allow 3306 if your database server is on the same machine. And then you do default deny. After you allow what you have to allow you do deny, so it will make sure nothing else is connecting. Does that make sense? It will create the resultant iptables format, so if you want you can go customize that, but this is just an interface for that, so it makes it easier for us to understand; reading this rule set is far easier than what we see sometimes. And it will follow the best practices: it will do the ESTABLISHED thing, I think, if the connection is allowed, if it's established it will allow it and all that. Yes, once this is set you can use ufw status; it will show you this format. If you do iptables -L it will show you that format. It's up to you; you can mix and match. Yeah, it's basically a wrapper.

Yeah, that's a better way than in the database. So if you need to, and I've had people, because for the database sometimes they want to have a separate machine and everything, for backup, for security or whatever, you can do this: ufw allow from <external db IP> to <current host IP>, this is the public IP address of the machine where your firewall rules are going to be, port 3306, that's it. So in case you still have to do it: first you made sure that the user you created inside the MySQL server could only log in from that external DB IP, and now you have enabled that in the firewall, you have poked the hole so that your access is available. 3306 is the port for MySQL, so even if it's localhost it's listening on 3306 if you have enabled the bind address; otherwise it could be a socket-based connection also, but I have never used the socket. I personally disabled that. It's faster? That's faster, but how much of a difference will it make, what is the latency, microseconds? So if you can do IPC, do IPC, but that will be like... not everything can write to the socket, it has to be some privileged process, but only MySQL can write, so then the standard file permissions, but that's only because it has a MySQL driver to connect to that socket, and the question is how do you protect write and read access to the socket.

Okay, so some kind of a reference architecture. Please feel free to follow it, please feel free to discard it. This is what I think a basic application will look like. The document root: this is your web server document root; whatever is inside this directory will get served. So if you make a mistake, if you do dbconfig.php.bak, your web server is going to serve that as a text file, because it's inside the document root. So the document root should only contain files that are meant to be served to the user. Now I'm sure there are many, many exceptions to this rule where you have to put it inside, like in .NET you have a web.config which has to be part of the document root, but then the web server takes care that it is never served; Apache by default will not serve any file which starts with .ht. You can set up a file .htwhatever, it doesn't have to be .htaccess, Apache will refuse to serve it, because by default that .ht config itself is given. Now, everything which is required for your web application but doesn't need to be served to the user you can keep outside the document root, because all the web server needs is read access to that file; the browser people access it from, the user agent, doesn't need to do anything about it.

So maybe this is what you can do. You have your website running in a site folder; public is where all the files you will be serving are, index.php or whatever it is; and then you have a private folder. Obviously the document root is /var/www/site/public and those will get served; your dbconfig and other things can be in private. As long as this group, which is what the web server is running as (the Apache web server process runs as www-data), has read access to this folder, it will be able to read the file. Uploads tend to be the most common use case: you get uploads for a profile picture or media or something. Now people tend to think that it has to be inside the document root. If you are not going to serve whatever is getting uploaded then it can be outside, but if you are going to use the same images or something then obviously it has to be here; only that folder should have write access for the group. Does that make sense?

So what you do is you use SSH with your user, your user is called foo, and you copy the files. Now the owner of those files is user foo. Those files can have the group as www-data, and then based on the permission set the web server will be able to write to it, read from it, execute, go inside that directory. You don't need to set others, to 777; that only happens when the owner of your files and folders is someone else and they are not part of this group, so then you are going to give others access to execute and write, which is a big no-no because it leads to other things.

So finally, what we did, and this is definitely less than 10 steps: start from a mini ISO, in the ideal case, and remove the unwanted services to reduce your attack surface. Then you whitelist the user for SSH login: only that user from that IP, or only that user, can log in. The MySQL user has been protected, because you have set that this user from this IP or this host is allowed to access this database, and you are not using the standard root user. And you have a default deny in your firewall and you have allowed whatever services remain after you have removed the unwanted services: you have port 22 for SSH, so you can do your shell and file access, then you have your web server and your database. And you keep that.

Okay. His question is... what's your name? The question is: can you restrict access based on a user agent to the content? You can try, but you do need to understand the user agent string is coming from outside your server, so if someone changes that, it's a no. The only problem then is you can do it like maybe the default duplicate user agent, whichever one it is, that is blocked, and you can do that at the web server level, but if someone changes it then you wouldn't know, and it's very easy to change the user agent because it's part of the HTTP header.

Okay, so I used to think that (running SSH on a non-standard port) is a good idea, and there are two problems with that. First of all, if you rely on some tools for automated deployments or whatever, everywhere you have to specify the port. Whatever it is, eventually it has to connect to some port; the TCP connection has to go somewhere, so it has to connect to some port which the server is listening on. If it's not listening on 22 it can't go through, so you could do that. Now the problem is, what I have read, and I think Kingsley might be a better person to answer this question, is if you listen on a high port, above 1023, then any non-privileged user can also create a process which listens on that port. Now I was trying to find some references where this has been a problem in the real world; I was not able to, but I don't know, have you seen that? Would you recommend running it on a non-standard port?

See, basically port scan is one technique. Basically what you're doing is, if I figure out what port responds on an IP, I can send enough data for it to reply, and SSH by default expects some kind of a certificate-type message to go through, or at least what cryptography it will support and all that; it will reply with some error. So if the idea is that bots should not fill up your logs, that's the only thing it's going to protect you from. The automated attacks will happen; 22 is not responding, it's not that the bot will stop, but your logs, your auth.log, will not get filled up. But does that really help you with anything else? I'm not sure. But if you whitelist the user then you're assured that even if your password is very basic, if they can't figure out what the user name was they'll never be able to log in. Again, what you say might make sense, but I wouldn't do it on a machine where a lot of other users who I don't know personally have shell access. In the sense, you can't stop someone from running a process which listens on a TCP port above 1023; from 1 to 1023 is for the privileged user, for root, and anything above is for anyone else. So if you run, like some people run it on 2222, I'll give you a scenario: for some reason your sshd stops working, you get a message, and someone starts their rogue sshd. That's the only example I've got so far, but what you're doing is you're bypassing... as long as you keep it in the privileged range. So another good suggestion: if you don't want to run on 22, you see what other services there are up till 1023 and you run it on one of those. The pain is that then every client you use to connect to SSH, you will have to specify that port number. Yeah, run it on 22 with the whitelisted user, that's what I would recommend, that's how I run it.

So it depends on how you keep your password also. If your password is simple... there was this security company, they used to run a website called rootkit.com; that person has written a book also, so obviously he knows a lot about security. But his admin received a mail which seemed to be from him saying, I am at some conference in the Middle East, I need access, I have forgotten the SSH password, can you reset it and send it to me. That person did that, and then there were some 28,000 emails. No, this is before Anonymous; this was called Anti-Security, anti-sec, a bunch of hackers from Saudi Arabia and all that who were just pissed off with everyone in the world. So it is before your Anonymous and all that. But when you whitelist and you have a good password, or you have a passphrase on your public/private key, that gives you more assurance, and that's what I would suggest.

Oh, there's another thing I've not covered that you should think of: you should be looking at your logs. Maybe, a bunch of people are talking about it, there's a talk on what is that, Friendly or something, the log watcher, whatever is suitable for you; there's a talk on that. You should be monitoring them, like at least if your server goes down, your SSH goes down or something happens, you should get some kind of an alert. You might do something with it, you might not, but depending on how much money was spent on your production system, monitoring, some people pay a lot of money, or you can use a simple tool which monitors the website, monitor.us or something, which will just tell you if your port is down. Additionally you should be thinking of whitelisting in hosts.allow, or hosts.deny, sorry. This is just a TCP wrapper: you can specify the service and which IP or subnet or network with a wildcard is allowed to access. So if you use something like fail2ban or DenyHosts, which is another protection against brute forcing, if there are x number of connections in some time duration which are all failing for your SSH access then that IP is put in hosts.deny. My problem with that is, if for some reason your IP gets banned then what do you do? That happened, because there was one developer working and then he was out of the office, so the other person who was supposed to work on it called him to get the password; he did not want to send a text message, so this developer told him the password over the phone, but there was some miscommunication, so he kept trying, kept trying, and then they got banned. So then they had to call their support to reset the password. It happens; it's funny when it happens to other people, but it does happen. So I don't really recommend the banning strategy just like that. Apart from this, that's it, that's all I have. Yeah, you can, your
question is can I ban for ssh based on country yes you can do that you can specify an entire ip block so if you are thinking of banning users from china or russia or whatever you can there is a really cool tool called block finder it's on jithub you put in the two letter country code you tell you all the ip blocks from that country you can put that in your configuration that's all you do you know the problem with that is it's possible that the person who's actually trying to monitor might be sitting in the next house they might be just going through china so you can start blocking but it's like a never ending slope at one point you will have blocked everyone but yourself but yes you can do that any other questions is that a question or your opinion his opinion is that absolute security is a myth I think it's an economics problem it depends on the time you have and the money you have and the paranoia you have anything else okay okay I'm out of time thank you thank you so much
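The ownership and permission scheme the talk describes for the upload directory (files owned by the deploying user, group set to the web server's group, nothing for "others", never 777) written out as a shell script. This is an added example, not code from the talk or its slides. The directory path, the group name passed in (www-data on Ubuntu with Apache) and the user and IP in the usage note are assumptions for illustration.

```sh
#!/bin/sh
# Added example (not from the talk): give the web server's group write access
# to an upload directory without making anything world-writable, and audit a
# tree for the 777-style permissions the talk warns against.
# Assumptions: the deploying user ("foo" in the talk) owns the files, and the
# web server's group is passed in as $2; on Ubuntu with Apache that is www-data.

# List every world-writable file or directory under $1 (symlinks skipped).
# Returns 1 if any were found, 0 if the tree is clean.
audit_world_writable() {
    dir="$1"
    found="$(find "$dir" -perm -0002 ! -type l)"
    if [ -n "$found" ]; then
        printf 'world-writable: %s\n' "$found"
        return 1
    fi
    return 0
}

# Owner keeps full control, the group (web server) gets rw on files and rwx on
# directories, and "others" get nothing. The setgid bit (2770) on directories
# makes files the web server creates later inherit the group automatically,
# so new uploads do not need fixing by hand.
harden_upload_dir() {
    dir="$1"
    group="$2"
    chgrp -R "$group" "$dir" || return 1
    find "$dir" -type d -exec chmod 2770 {} + || return 1
    find "$dir" -type f -exec chmod 0660 {} + || return 1
}

# Usage (as the owning user, after copying files over SSH):
#   harden_upload_dir /var/www/app/uploads www-data
#   audit_world_writable /var/www/app
```

Run `audit_world_writable` on the whole document root after every deployment; anything it prints is a file or directory that any local account, including a compromised web application, could write to. For the SSH and TCP-wrapper whitelists mentioned in the talk, the equivalent one-line settings are `AllowUsers foo@203.0.113.10` in /etc/ssh/sshd_config and `sshd: 203.0.113.10` in /etc/hosts.allow (with `sshd: ALL` in /etc/hosts.deny); the username and address here are placeholders.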